This installs:
- /lib/libnss_mxshadow.so.2 : nss service to query shadow entries via TLS from a server
- /usr/sbin/mxshadowsrv : The server
At runtime, the nss service needs these files:
- /etc/mxshadow.conf : Configuration file containing server address and port
- /etc/mxshadow.cert.pem : Certificate to verify the server
The format of the configuration file is:

    # address and port of mxshadow server
    server = 141.14.16.131
    port = 872

At runtime, the server needs the certificate file and the related key file. These are specified on its command line:

    mxshadowsrv --key-file FILENAME --cert-file FILENAME [--address ADDRESS] [--port PORT] SHADOW-FILENAME

The server monitors the shadow file for changes and will re-read it if it is changed or replaced.
The source package contains these tools, which are built but not installed:
- create-key.sh : Shell script to create key and certificate for the server
- test_server : Standalone program to query the server (usage: test_server username)
- test_query_shadow : Standalone program to test getspnam (usage: test_query_shadow username)
- This package is installed from a bee file
- The key and cert files have been generated with create-key.sh
- /etc/mxshadow.conf and /etc/mxshadow.cert.pem are installed from mxtools.
- A systemd service unit /etc/systemd/system/mxshadow.service to run the server is also installed from mxtools.
- The Makefile in /package/nis/src generates a shadow map /package/nis/var/shadow
- The key and certificate files for the server are stored in /package/nis/etc/
- Tools like login, su or sshd which want to do password authentication use the PAM library. See pam(8).
- pam reads config files, e.g. /etc/pam.d/sshd
- These files delegate to pam module plugins, e.g. with
      auth required pam_unix.so
- pam_unix.so uses getpwent() and getspent() from glibc.
- glibc reads the configuration file /etc/nsswitch.conf
- This file delegates to nss service providers, e.g.
      shadow: files mxshadow
  for libnss_files.so.2 and libnss_mxshadow.so.2
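
The lookup chain described above can be checked before deployment. The following is an added example, not part of the mxshadow package: it resolves which NSS libraries glibc consults for the shadow database, flags an nsswitch.conf action item that would stop the lookup before mxshadow is asked, and validates /etc/mxshadow.conf. The function names are hypothetical and the `key = value` grammar is assumed from the sample configuration shown earlier.

```python
import re
# Constructed sample inputs; the shadow line and the conf mirror the ones shown above.
NSSWITCH_OK = "passwd: files\nshadow: files mxshadow   # remote shadow via TLS\n"
NSSWITCH_BLOCKED = "shadow: files [NOTFOUND=return] mxshadow\n"
MXSHADOW_CONF = "# address and port of mxshadow server\nserver = 141.14.16.131\nport = 872\n"

def notfound_returns(actions):
    """True if a bracketed action list makes a NOTFOUND result end the lookup."""
    result = False
    for item in actions.split():
        status, _, action = item.upper().partition("=")
        # "!STATUS" applies to every status except STATUS.
        if status == "NOTFOUND" or (status.startswith("!") and status != "!NOTFOUND"):
            result = action == "RETURN"
    return result

def lookup_chain(nsswitch_text, database="shadow"):
    """Return [(service, library, reached_after_notfound)] in lookup order."""
    for raw in nsswitch_text.splitlines():
        name, sep, rest = raw.split("#", 1)[0].partition(":")
        if not sep or name.strip() != database:
            continue
        chain, reached = [], True
        for svc, actions in re.findall(r"([A-Za-z0-9_]+)|\[([^\]]*)\]", rest):
            if svc:
                chain.append((svc, f"libnss_{svc}.so.2", reached))
            elif chain and notfound_returns(actions):
                reached = False  # unknown users never get past this point
        return chain
    return []

def parse_mxshadow_conf(text):
    """Parse 'key = value' lines (grammar assumed from the sample) and validate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, sep, value = line.partition("=")
            if not sep:
                raise ValueError(f"not a key = value line: {raw!r}")
            conf[key.strip()] = value.strip()
    port = int(conf.get("port", "0"))
    if not conf.get("server") or not 0 < port < 65536:
        raise ValueError("server and a port in 1..65535 are required")
    return conf["server"], port

if __name__ == "__main__":
    print(lookup_chain(NSSWITCH_OK), lookup_chain(NSSWITCH_BLOCKED),
          parse_mxshadow_conf(MXSHADOW_CONF), sep="\n")
```

With `files [NOTFOUND=return] mxshadow`, a user missing from the local shadow file is never looked up on the server, which is why the third tuple field is False for mxshadow in the second sample.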